On the Security of Some Authentication Mechanisms from Windows

CONTI’2008 The 8th INTERNATIONAL CONFERENCE ON TECHNICAL INFORMATICS, 5-6 June 2008, TIMISOARA, ROMANIA

On the security of some authentication mechanisms from Windows

Bogdan Groza*, Andrei Alexandroni**, Ioan Silea***, Victor-Valeriu Patriciu****

*Politehnica University of Timisoara, Faculty of Automatics and Computers, Timisoara, Romania, E-Mail: [email protected], WWW: http://www.aut.upt.ro/~bgroza/

**Pensive S.A., Brussels, Belgium, E-Mail: [email protected]

***Politehnica University of Timisoara, Faculty of Automatics and Computers, Timisoara, Romania, E-Mail: [email protected], WWW: http://www.aut.upt.ro/~isilea/

****Military Technical Academy, Department of Computer Engineering, Bucharest, Romania, E-Mail: [email protected], WWW: http://www.mta.ro/conducere/victor_patriciu.php

Abstract – The paper investigates some authentication practice and offer a stronger security level. The main ideea mechanisms used in Windows. In particular, the NTLM is that the identity of a user is verified based on a response authentication protocol, which is commonly used in to a particullar challenge that is usually a random value, several solutions from Microsoft, is analyzed. The NTLM therefore, even if an attacker captures a response for some authentication is completely unsafe in several variants of challenge, it can not be used for subsequent impersonation use and some of its weaknesses previously known. A of the user, because future challenges will be different. critical analysis is done, the weaknesses are explained Challenge-response protocols can be built on both and the safe solutions are underlined. As a practical symmetric or assymetric cryptographic primitives. Zero- example it is shown how the NTLM authentication from knowledge protocols are the most advanced authentication SharePoint based portals can be exploited to steal protocols, however, they are more computational intensive passwords and how to configure the NTLM for a safe use. and more difficult to implement, and because of this are not This analysis is relevant as SharePoint becomes widely frequent in practice. As will be discused in what follows, used and NTLM is still the default option and the only both password based authentication and challenge-response authentication mechanism available when there is no authentication are present in Windows. support for Kerberos. Nevertheless, a comparison between the password based authentication from UNIX based OS Although there are numerous solutions with a strong and Windows is done. foundation and provable security, still protocols that are known to be insecure continue to be used in practice. One Keywords: authentication, cryptography, NTLM, example of such protocol is the NTLM (NT LAN protocol. Manager) protocol used by some Microsoft products with the SMB protocol. NTLM is a challenge-response protocol consisting of three phases between the client and the I. INTRODUCTION server: the negotiation phase, when the client sends a message to the server; the challenge phase, when the server Authentication, and in particular entity authentication or responds to the client message with a challenge and the identification, is a major security objective nowadays as authentication phase, which is the most important part proving someone’s identity is the most common action in when it comes to cryptography. In the authentication phase all systems. Also there is a large variety of authentication the client replies to the server challenge and the access to protocols based on cryptographic techniques, which have the requested resource is granted or denied. More details on been studied for a long time by the security community, the protocol will be given in the forthcoming section. some of them are known to be secure others are known for Although some of its weaknesses are known [4], [10], [14] their weaknesses. A basic textbook [3], [12] or a survey [5] it continues to be used in several situations. One such can be consulted for more on authentication protocols. example, that will be outlined in this paper, is the use in web portals developed through Microsoft SharePoint. It may be relevant to note that there are three types of entity authentication mechanisms: password based, challenge- SharePoint (http://www.microsoft.com/sharepoint) is the response and zero-knowledge. Password based document management and collaboration platform from authentication is the most commonly used mechanism and Microsoft. It is a platform used by organizations to it is based on the use of a secret known as password. facilitate content management across the enterprise, to Because passwords can be stolen, one-time passwords are easily manage and track business processes and to provide an improved mechanism which makes passwords valid collaborative spaces for different groups of users. only once, however their use in practice is limited. SharePoint is becoming one of the preferred solutions for Challenge-response mechanisms are also frequent in companies because of the ease of use and the large number 1 of issues addressed by its features. The first versions of the 1. Client→ Server : Type 1 Message product were released in 2001, advancing over time to the current versions which are Windows SharePoint Services 2. Server→ Client : Type 2 Message (includes the 64 bit 3.0 - a free product coming as an additional component of challenge from the server) Windows Server 2003 and Windows Server 2008, and 3. Client→ Server : Type 3 Message (includes the Microsoft Office SharePoint Server 2007 (MOSS 2007) - response from the client) the full-featured product coming as an additional server. SharePoint solutions can be used in a large variety of environments, starting from collaborative spaces for The type 1 message is used only to negotiate the type of universities to eGovernment resource sharing platforms. authentication and for this exposition details are not useful. The type 2 message contains a challenge from the server Regarding authentication on the SharePoint web which is an 8 byte Nonce. The type 3 message, which is the application, which is a practical example for this paper, response to the challenge, is constructed different for all there are two main possibilities of configuration: NTLM five variants. authentication (which is the default), and Kerberos authentication. A great number of real world Three variants are based on the LM Response with DES [7] implementations of SharePoint use NTLM authentication, as the underlying cryptographic primitive. The response although the ticketing-based protocol Kerberos is known to stage for LM Response and NTLM Response is the be more secure. NTLM is the preferred choice for the following: authentication protocol to be used mainly because it does not require any additional configurations. On the other side, Client→ Server : Kerberos requires a trusted connection to the Active DESKK123( challenge) || DES( challenge) || DES K( challenge) Directory domain Key Distribution Center for both the client and the server. The client, willing to authenticate by In the case of NTLM2 Session Response the challenge is using Kerberos, in order to get access to a protected concatenated with a Nonce generated by the client in order resource, must construct a service principal name, which to avoid dictionary attacks. This value is hashed using should be previously configured (by using the Setspn.exe MD5 [13] and only the first 64 bits are preserved to obtain tool included in the Windows Support Tools for example). the session hash NTLM is still used in some situations: client is sessionHash= ⎢⎥ MD5|| challenge Nonce : authenticating to a server using an IP address; client is ⎣⎦( ) 64−bits authenticating to a server that belongs to a different Active Directory; no Active Directory domain exists; if a firewall Client→ Server : restrict the ports required by Kerberos. Consequently, in DES sessionHash|| DES sessionHash || DES sessionHash many cases, the default NTLM authentication is chosen for KK123( ) ( ) K( ) SharePoint implementations. The keys for the DES encryption in step 3 are based on a The paper is organized as follows. Section II holds an 16 byte KeyMaterial generated from the user password. For overview of the NTLM authentication protocol. In section the LM Response the first 14 bytes of the password are III some design weaknesses of the used cryptographic used to create a DES key (if the key is smaller than 14 primitives and of the protocol are presented, also a bytes it is null padded). Then these two values are used as comparison between the pasword based security from keys to encrypt the constant “KGS!@#$%” also called Windows and Unix is done, and the insecurity of NTLM “magic constant”. This encrypted value is also known as for use in SharePoint solutions is inspected. Section IV the LMHash: holds the conclusions of the paper. KeyMaterial =

DESKE1( password )("KGS!@#$%") || DES KE 2( password ) ("KGS!@#$%") II. AN OVERVIEW OF THE NTLM AUTHENTICATION Here, by KE1 and KE2 we denote two key extraction functions which are used to extract the DES keys from the Besides the anonymous response variant in which no password. These functions perform some non- authentication takes place, five variants of authentication, cryptographic operations on the password which are not based on the response for the given challenge, are relevant, except for the fact that all letters are turned to available: LM Response, NTLM Response, NTLMv2 upper-case (for details see [9]). For the NTLM Response Response, LMv2 Response, NTLM2 Session Response. A and NTLM2 SessionResponse the password bytes are complete description can be found in [9] and another good simply passed through the MD4 hash function to obtain: reference is [10]. All five variants are challenge-response mechanisms based on the following three round paradigm: KeyMaterial= MD4( password )

Now these 128 bits are null-padded with 40 bits and used However the problem is even bigger at the generation of to create the 3 DES keys, i.e. K1, K2, K3, as follows: the DES keys since the third key, i.e.

K3(= Transform KeyMaterial15,16 ||0) 17,22 , has only 16 bits K1(= Transform KeyMaterial1,7 ) of random information while the last 40 bits are all set to 0.

K2(= Transform KeyMaterial8,14 ) This finally leads to negligible entropy for the third key which can easily be found by a brute force search. This K3(= Transform KeyMaterial ||0) 15,16 17,22 makes possible to retrieve the bytes from 17 to 19 of the key material by only testing 65536 values, this can be done

The notation 017,22 means that the bits from 17 to 22 are all in less than a second on a modern computer. Recovering set to 0. These three mechanisms are also suggested in these 2 bytes of the key material further makes possible to figure 1. mount a more efficient dictionary attack on the password by using an offline computed dictionary of passwords and Also, there are two variants based on the LMv2 Response, comparing the recovered last 2 bytes of the key. Although depicted in figure 2, which use HMAC-MD5 [1] as the there will be many passwords that match the last 2 bytes, underlying cryptographic primitive. The only difference still the number of candidate passwords from the dictionary between them is that one is using a client Nonce while the is reduced. As the third key is trivial to break due to its low other is using a client Blob which besides the Nonce also entropy, all that is needed is to recover the first two DES contains more specific information such as target keys. This should not even require twice the time needed to information and current time in milliseconds. The 3-rd crack DES as the search is done over the same encrypted round of the authentication protocol in this case is the message, i.e. the challenge, and just the output of the DES following for LMv2 SessionResponse and NTLMv2 permutation should be compared with two different values. SessionResponse (for NTLMv2 clientNonce is replaced by clientBlob) : LMResponse NTLMResponse NTLM2SessionResponse

password password challenge, client-nonce Client→ Server : password challenge challenge

HMAC− MD5||HMAC− MD5|| user target ( challenge clientNonce) MD4() password () LM-Hash NTLM-Hash Session-Hash

lmhash ntlmhash sessionhash This completes the description of NTLM and its variants. In the next section its cryptographic vulnerabilities will be LM-Response investigated. Type 3 Response III. CRITICAL COMMENTS AND EXPLOITING

VULNERABILITIES IN SHAREPOINT PORTALS Fig. 1. Block diagram of authentication mechanism based on the LM- Response. A) Cryptographic vulnerabilities LMv2Response NTLMv2Response Of course, for the variants based on the LM Response, the first obvious problem is the use of DES which is an target, user, password target, user, password target-information, client-nonce challenge outdated encryption function. The use of DES is of course client-nonce NTLMv2-Hash Create-Blob inappropriate for these days, as attacks over this function challenge started to be successful in the late nineties. Also there were a lot of speculations of the design of DES and some details ntlmv2hash blob on the design criterias were made public only in the nineties [6]. Still, the techniques of differential LMv2-Response cryptanalysis proposed by Biham and Shamir [2] and linear cryptanalysis proposed by Matsui [11] do not represent a Type 3 Response threath for the use in a password based authentication, as they are chosen palintext attacks wich require large amounts of plaintext-chipertext pairs. But nowadays, from Fig. 2. Block diagram of authentication mechanisms based on the LMv2- March 2007, dedicated machines such as Copacobana can Response break DES in an average time of 6.4 Days (http://www.copacobana.org/). Also, the Deep Crack machine from Electronic Frontier Foundation is capable of Even in the case of the NTLM2 SessionResponse when the testing more than 90 billions DES keys per second, which client-nonce is used, it is still possible to mount dictionary means that the entire key space can be exhausted in about 9 attacks on the last two bytes of the key as it is easy to days, the average time for finding a key will be 4.5 days observe that the key material is independent on the client (http://w2.eff.org). nonce. As for LM Response and NTLM Response, dictionary attacks can be done over the entire passwords as

3 there is no nonce from the client. Therefore we can timings can be achieved. By using the results from table 1, conclude that all variants based on the LM Response are it is easy to determine for example that breaking a 6 char vulnerable to a dictionary attack. The LMHash itself is also alphanumerical password can be done in an average time of insecure because the two values computed with DES are 2 days for the NTLMv2 Response. cryptographically independent and attacks can be mounted separately on each of them. For example if a password has 10 characters it will be as strong as having only 7 TABLE 1. Computational time for the 5 response types from characters since finding the last 3 characters can be done in NTLM (number of responses computed per second). a matter of seconds and only finding the first 7 characters CPU Intel T2300, CPU Intel E6750, can take significant time. Response 1.66Ghz 2.66Ghz

3 3 Even more, specialized machines such as Copacobana or LMResponse 10× 10 / s 20× 10 / s DeepCrack, which are available only for individuals with NTLMResponse 19× 103 / s 36× 103 / s solid financial background, may not be required to crack DES in the context of the wide-spread of grid systems and NTLM2SessionResponse 18× 103 / s 33× 103 / s as hackers could get control on hundreds to thousands LMv2Response 83× 103 / s 143× 103 / s computers. Therefore the use of protocols based on DES must be avoided in practice. NTLMv2Response 76× 103 / s 143× 103 / s

It is also easy to observe that for answering the challenge in the NTLM protocol it is sufficient to find the DES keys and B) A comparison between Windows and Unix password finding the password itself may not be necessary. based authentication Therefore, because of the use of DES, the protocol can be broken no matter how strong the password is. If recovering The aforementioned LMHash, the 16 byte key material the password itself is needed, using rainbow tables, which obtained from the DES encryption of a predefined constant, are becoming more popular and efficient is also used in Windows NT based OS until Windows (http://www.freerainbowtables.com/), can give good results Server 2003, including Windows XP, to authenticate users very fast. Also, crackers such as Ophcrack on the login screen. In this section we investigate the (http://ophcrack.sourceforge.net/) and Cain&Abel differences bewteen the UNIX and Windows password (http://www.oxid.it/index.html) can be used for rainbow authentication system. cracking LM and NTLM hashes. Any password based system has to store passwords in some Both variants based on LMv2Response appear to be secure, files. Traditionally the encrypted passwords in UNIX are but the security level is arguably weak as MD5 hash stored in the file /etc/passwd. However as this file is function has several weaknesses [17], [20]. However, we publicly accessible, in order to not expose the encrypted do not see at this moment how the well known collision passwords of the users to other users that can attack them, attacks on MD5 images can lead to security breaches in the encrypted passwords are stored practice, but still we find it inappropriate to use MD5 in a in the file /etc/shadow which is accessible only by the root. contemporary solution. It is well known that new designs For example, if we set the user name to "user" and the should use functions from the SHA-2 family [8]. Also, the password to "password" the corresponding line from the use of SHA1 should be avoided as this function also has file /etc/passwd looks like following: weaknesses [19]. user:x:503:503:user:/home/user:/bin/bash For the LMv2 based response it is relevant to note that verifying one password could be done much faster than for The fields of this entry corresponds to the following: LM-Response, this is because computing the HMAC-MD5 nickname:password_hash:UserID:GroupID:Complete_Na is much faster then computing 3 times the DES me:home_dir:shell_bin. What is relevant for us is the "x" permutation. However, faster does not mean better, as after the user that indicates that the encrypted password is cracking passwords that are small, for example less or actually stored in /etc/shadow. If one logs as root and has equal to 6 characters, can be done faster for the access to /etc/shadow it will see the following line: LMv2Response than for the DES based password. We believe that it would be more efficient to take a measure user:$1$WjmoADsj$GymnrxaSCM/EXMShtAbEn0:13 such as iterating the hash over the password several times 536:0:99999:7::: in order to increase the time for a brute force search (this measure was also used in other password based Here the value $1$WjmoADsj$ is a random salting value authentication systems including the one used in UNIX). with which the password is hashed (the salt is needed to Table 1 shows the computational time required by the 5 prevent dictionary attacks). The value responses, the computational time was measured on the GymnrxaSCM/EXMShtAbEn0 is the actual hash of the implementation from [9], which is done in Java and better salted password. The remaining fields include: the

4 minimum number of days between password changes, the DES transformation which is essentially the same maximum number of days until the password must be as using two transformations on the same message. changed, the number of days of warning given before the The fact that the two DES transformations have the password must be changed, the number of days after the same message and independent keys makes password must be changed when the account becomes passwords of length 8, 9, 10, 11, 12 almost as unusable, the date (expressed as the number of days since secure as a 7 character password since 2, 3, 4, 5 January 1st, 1970) when the account is expired. characters are feasible to attack (as one ASCII character has 7 bits, 5 characters will lead to 35 bits If one wants to generate such passwords, then the crypt which certainly can be efficiently brute-forced). command can be used. If a call to crypt("password", This is relevant as according to [18] almost 60% of "$1$WjmoADsj$") is made then the value users passwords are from 8 to 12 characters and the $1$WjmoADsj$GymnrxaSCM/EXMShtAbEn0 is returned. LMHash will not offer more security for these users The $1$ followed by at most 8 characters indicates that the than for the 23% users that have 7 characters encryption is performed using an MD5-based algorithm password. Arguably, 6 characters will also be easy instead of DES (man crypt command can be used for more to crack and therefore 13 characters passwords will details on crypt). not offer more security.

In order to contrast with table 1, by using the UNIX time 3) In the computation of the LMHash all letters are set command, we measured the time required to compute a to uppercase (see the source code from [9] for password and the results are in table 2. It can be easily seen example). This makes alphabetical characters twice that computing UNIX password takes more time than for as easy to break. Windows. 4) The DES transformation can be computed much TABLE 2. Computational time for the crypt command in UNIX faster then the crypt command from UNIX as based systems. experimental results showed. This means that brute force attacks reveal passwords much faster in XP CPU Intel T2300, CPU Intel E6750, than UNIX. To obtain a higher lever of security the 1.66Ghz 2.66Ghz one-way function should have been iterated several 3 3 crypt command 1.3× 10 / s 2.5× 10 / s times in order to compute a password.

In Windows XP, which is for the moment the most widely As a partial conclusions, we can state that Windows XP used version of Windows, passwords are stored in offers less security than UNIX based systems (in particular \system32\config\SAM and \system32\config\SYSTEM from our experimental results were done in Fedora 5.0 but they the windows directory (SAM stands for Security Accounts should be essentially the same in other versions). A recent Manager). Although this file can not be read when note from Microsoft shows how to disable the LMHash Windows is running, it may be accessed by booting from a which will force the use of the more secure NTHash [24]. It DOS system disk or its content can be dumped by some is somewhat disappointing that although Microsoft delivers programs (for example several programs under the name automatic security updates quite frequently, there is no pwdump can perform this task). The most relevant fact is automatic update to disable the LMHash. that passwords are computed as the aforementioned LMHash. We note that the LMHash is disabled in Windows It should be also stated that another way to hack into a Vista, where is replace with the NTHash (computed with system would be to use a bootable disk and simply to the MD4 hash function), but comes as a default with overwrite the password file. However, although this attack previous versions of Windows. is much easier to mount, and there is no cryptographic countermeasure against it, it is commonly acknowledged Now, some differences and weaknesses of Windows OS that it does not have the same security impact as recovering compared to UNIX password system can be resumed (in a the password. This is mainly because of two reasons: first potential order of relevance): is that if the password is overwritten the user will notice that its password was changed and secondly a particular 1) No salt is used in XP and this makes dictionary user password can help break into other accounts of the attacks feasible. On contrary UNIX password are user as well (for example one user may use the same computed using a salt which makes passwords not password to log on Windows XP and on Yahoo mail, and vulnerable to such an attack. breaking it on XP will be much easier and will also give access to the mail account). 2) Using two independent DES transformations makes a brute force attack as hard as breaking only one C) Some remarks on the design of the protocol DES transformation, which is feasible to break nowadays. UNIX does not use DES anymore, and So far we have investigated cryptographic weaknesses of even when it used DES in the past, it was only one the NTLM. However, it should be also stated that protocols

5 can hide design weaknesses which makes possible to break them even if the underlying cryptography has no 1) Level 0: is the less secure option, allowing only the weaknesses. Such an attack, known as a man-in-the-middle LM and NTLM responses to be sent by clients, and attack, was suggested in [4] and is feasible on some disallowing the use of NTLM2 Session Response. variants of NTLM. 2) Level 1: with this option clients can use LM, NTLM, For a complete knowledge of all the attacks that are and NTLM2 Session Response. feasible and to validate the variants of NTLM which are secure a formal verification should be done. This is subject 3) Level 2: indicates that clients can use NTLM and of future work for us. However there is a formal analysis of NTLM2 Session Response. the MS-CHAPv2 protocol done under the AVISPA project and no vulnerabilities were found [23]. MS-CHAP [21], 4) Level 3: indicates that clients can use only the [22] is another challenge-response authentication protocol NTLMv2 response. from Microsoft and is similar to NTLM. Since NTLMv2 is somewhat analogous to MS-CHAPv2, and no attacks were 5) Level 4: allows clients to use only the NTLMv2 found on the MS-CHAPv2 [23], it is likely that NTLMv2 response, and explicitly denies LM responses to be also has no flaws. It should be also stated that there are two accepted by the authenticating server. versions of MS-CHAP and both of them were analyzed by Schneier et al. [15], [16] who found several cryptographic 6) Level 5: allows clients to use only the NTLMv2 weaknesses. response, and explicitly denies both the LM and NTLM responses to be accepted by the authenticating D) The practical use of NTLM in SharePoint Solutions server.

The NTLM authentication protocol is frequently used in The default installation of Windows Server 2003 comes Microsoft Windows networks and its use is not restricted to with the default level 2, which is completely unsafe as it SharePoint solutions; it can also be used as an uses older versions of the responses: NTLM and NTLM2 authentication mechanism for other applications, such as a Session Response. The newest operating systems from custom web application. The NTLM security levels can be Microsoft (Windows Vista and Windows Server 2008) accessed and modified in the Windows Registry by resolve this issue by enforcing clients to use only the changing the lmcompatibilitylevel DWORD value located NTLMv2 response. However, Windows Server 2003 is still at the following registry key: largely used in production, being currently the most used HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Microsoft server operating system. Control\Lsa as shown in figure 3. A technical article on the lmcompatibilitylevel setting can be found in [10]. With respect to the discussion on NTLM from section II, we can establish the recommended security levels. Unsafe configurations are levels 0, 1, or 2. This is because the clients would always attempt to use the unsafe versions of NTLM: LM, NTLM, or NTLM2 Session Response. Safe configurations are levels 3, 4, or 5. This is because clients are required in these cases to use the NTLMv2 response, which offers a much stronger authentication.

Consequently, it is recommended to set the lmcompatibilitylevel value to a value greater or equal to 3 whenever possible. The most common restriction of using the recommended security level is when needed to accommodate legacy clients that do not support the NTLMv2 response (such as Windows 95/98, or non- Windows computers). However, still a great number of organizations overlook this security breach and do not change the default security level even when this is feasible. This is mostly because authentication protocols are widely misunderstood or their importance underestimated. As practice shows, in most cases, user consider to increase security levels only after critical situations occur due to Fig. 3. Setting the lmcompatibilitylevel in Windows registry lack of security. Therefore it is likely that weak security levels will continue to be used in Windows. The available levels set by the lmcompatibilitylevel variables are:

E) A practical example: attacks over SharePoint based automatically allowed access on the SharePoint site due to portals his domain credentials he is logged on with on the domain.

A possible attack on the authentication from SharePoint From this point on, the relevant parts of the captured applications is done by capturing network traffic passing packets can be easily extracted for further analysis. For between a client requesting a resource on a SharePoint site example, when a password set to “poli” was used (the and the authenticating server. This could be done for password is indeed small, but we use it just as a proof of example by an intruder in the company’s local area concept) for authenticating a user on a SharePoint site network, or even by an employee of the company trying to using the default security level of 2, a packet containing the steal sensitive information. After capturing packets, the following information was captured: intruder can mount an attack to find the password of the victim in order to illegitimately authenticate afterwards to a Session nonce = challenge || clientNonce protected resource by using the victim’s username and =0x56c873557e88dcb2 || 0x08433915f46b868b password. =0x56c873557e88dcb208433915f46b868b 27d151b1037f79c2a5c2646826de164e To simulate a practical attack, Wireshark (http://wireshark.org) has been used as the tool for capturing network protocol traffic between a client and a NTLM Response= server. The target environment tested is the most typical DESKK123( sessionHash) || DES( sessionHash) || DES K( sessionHash) scenario used by companies to implement SharePoint =0x86ff70f0483b5de2fd31c2b42fec17f80 solutions. It is composed of: a Microsoft Office SharePoint d98bb9b887dab6b Server (MOSS) 2007 hosted on a Windows Server 2003 R2 SP2 machine, acting also as a domain controller and DNS Since the NTLM2 Session Response was used, the value of server, and a Windows XP SP2 client machine. The target sessionHash was computed as shown previously environment has been virtualized by using Microsoft’s sessionHash= MD5|| challenge clientNonce . The packet Virtual PC 2007. This configuration was set up only for ( ) experimental purposes, but it simulates with high fidelity a fragments from above are the most important parts of the real world environment. messages exchanged between the client and the authentication server, which could then be used for The first step taken in the set up of the test environment revealing the user’s password. Subsequently, the password was the initial installation of the server operating system. was found by an exhaustive search in a matter of hours. After all the initial configurations were done and the Although this password is small, and useful just as an network interface has been connected to the local area artificial example, it may be meaningful as several papers network and assigned a private IP address, the server was point out that user still choose small passwords. For promoted to a domain controller and the DNS server role example according to [18] 65% precent of the users use was added for internal name resolution. Further, the passwords of 8 characters or lower. Because of the low prerequisite software necessary for MOSS 2007 was entropy, as ASCII digits loose one bit of information on installed: .NET Framework 2.0, Internet Information each byte, these passwords can be easily cracked. For Server (IIS) 6.0 with the World Wide Web service, and example a password of 6 chars can be cracked in a matter SQL Server 2005 for hosting the MOSS databases. Then, of days and about 15% of users choose passwords of this after the initial configuration of the SharePoint farm and size according to [18]. after starting the SharePoint services, a new web application has been created to host a collaborative SharePoint site. The configuration for the SharePoint web IV. CONCLUSIONS application and site collection has been done through the MOSS Central Administration console on the server. As a final conclusion we believe that using any of the variants based on the LM Response must be avoided. This Then, after the configuration of the SharePoint farm, a new is because as DES can be cracked in present days by a web application has been created to host a collaborative brute force search on the DES key-space. Also, the SharePoint site. A domain user has been created on the adversary does not even need to recover the password itself domain controller, and this user has been imported to the in order to respond the challenge, the LM Response based previously created SharePoint site. variants could be all cracked, no matter what is the entropy of the password and its length. Using the Wireshark tool, a new network traffic capture was started for the network interface between the two Also, for LMv2 based response it is relevant to note that machines involved in the communication. When the user verifying one password could be done much faster than for attempts to authenticate to a SharePoint resource he will LM-Response and therefore, cracking passwords that are need to enter his password on a logon window, or he can be small, for example less or equal to 6 characters, can be done very fast even for the LMv2 Response. In large, we

7 think that LM Response based variants must disappear [18] B. Schneier, “Real-World Passwords”, 2006, from practice, while the LMv2 will need to be replaced by http://www.schneier.com/blog/archives/2006/12/realworld_passw.h tml. a new design in the near future. [19] X. Wang, Y.L. Yin, H. Yu, “Collision search on SHA1”, http://theory.csail.mit.edu/ ~yiqun/shanote.pdf, 2005. As an immediat measure, the LMHash must be disabled [20] X. Wang, H. Yu, “How to Break MD5 and Other Hash Functions”, and the lmcompatibilitylevel value should be set to the Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of highest level possible. Also, even it is not a consequence of Cryptographic Techniques, pp. 19-35, 2005. this paper, but a general aspect, passwords of less than 8 [21] G. Zorn, S. Cobb, “Microsoft PPP CHAP Extensions”, RFC 2433, characters or with low entropy must be avoided. As Microsoft Corporation, 1998. SharePoint starts to be widely used, user sensitive [22] G. Zorn, “Microsoft PPP CHAP Extensions, Version 2”, RFC 2759, Microsoft Corporation, 2000. information may be exposed by the weaknesses of an [23] The AVISPA Library of Protocols, CHAPv2, http://avispa- authentication protocol such as NTLM. For the long term project.org/library/CHAPv2.html. developing stronger authentication mechanisms, such as [24] Microsoft, How to prevent Windows from storing a LAN manager two factor authentication should be considered. hash of your password in Active Directory and local SAM databases, http://support.microsoft.com/kb/299656, 2007.

REFERENCES

[1] M. Bellare, R. Canetti, H. Krawczyk, “Keying Hash Functions for Message Authentication”, Advances in Cryptology – CRYPTO 96, LNCS vol. 1109, Springer-Verlag, 1996. [2] E. Biham, A. Shamir, “Differential cryptanalysis of DES-like cryptosystems”, Technical report CS90-16, Weizmann Institute of Science, CRYPTO'90 & Journal of Cryptology, Vol. 4, No. 1, pp. 3-72, 1991. [3] Colin Boyd, Anish Mathuria, Protocols for Authentication and Key Establishment, Springer Verlag, 300 pages, ISBN-13: 978- 3540431077, 2003. [4] Jesse Burns, Information Security Partners, “NTLM Authentication Un-safe”, http://www.isecpartners.com/files/NTLM_Unsafe_0.pdf, 2004. [5] John A. Clark, Jeremy L. Jacob, “A survey of authentication protocol literature”, available at http://www.cs.york.ac.uk/jac/papers/drareview.ps.gz, 1997. [6] D. Coppersmith, “The Data Encryption Standard (DES) and its strength against attacks”, IBM Journal of Research and Development, 1994. [7] FIPS 46, Data Encryption Standard (DES), National Institute of Standards and Technology (NIST), U.S. Department of Commerce, 1976. [8] FIPS 180-1, (1995), 180-2, Announcing the Secure Hash Standard., National Institute of Standards and Technology (NIST)., U.S. Department of Commerce, 2002. [9] E. Glass, “The NTLM Authentication Protocol and Security Support Provider”, http://davenport.sourceforge.net/ntlm.html. [10] Jesper Johansson, “Security Watch: The Most Misunderstood Windows Security Setting of All Time”, http://technet.microsoft.com/en-us/magazine/cc160954.aspx, 2006 [11] M. Matsui, “Linear Cryptanalysis Method for DES Cipher”, Advaces in cryptology, EUROCRYPT'03, LNCS 765, 1993. [12] A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography. CRC Press, 1996. [13] R. Rivest, “The MD5 Message-Digest Algorithm”, MIT Laboratory for Computer Science and RSA Data Security, RFC 1321, 1992. [14] D. Sanai, H. Seki, "Optimized Attack for NTLM2 Session Response", http://www.blackhat.com/presentations/bh-asia-04/bh- jp-04-pdfs/bh-jp-04-seki.pdf, 2004. [15] B. Schneier and Mudge, "Cryptanalysis of Microsoft's Point-to- Point Tunneling Protocol (PPTP)," Proceedings of the 5th ACM Conference on Communications and Computer Security, ACM Press, pp. 132-141. [16] Schneier, B., Mudge and D. Wagner, “Cryptanalysis of Microsoft's PPTP authentication extensions (MS-CHAPv2)”, in: R. Baumgart, editor, CQRE, Lecture Notes in Computer Science 1740 (1999), pp. 192-203. [17] B. Schneier, “Cryptanalysis of MD5 and SHA: Time for a New Standard”, http://schneier.com/essay-074.html, 2004.